Platform
nginx
Component
nginx
Fixed in
8.2.7
8.2.7
CVE-2026-27811 describes a Command Injection vulnerability discovered in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. This vulnerability allows authenticated users to execute arbitrary system commands on the application host, potentially leading to complete system compromise. The issue affects versions of Roxy-WI up to and including 8.2.6.3, and a fix is available in version 8.2.6.3.
The impact of CVE-2026-27811 is significant due to the ability to execute arbitrary system commands. A successful attacker could gain complete control over the server hosting Roxy-WI, enabling them to steal sensitive data, install malware, or pivot to other systems on the network. The vulnerability resides in the /config/compare/<service>/<server_ip>/show endpoint, where user input is directly incorporated into a template string without proper sanitization. This allows attackers to inject malicious commands that are then executed by the application. Given Roxy-WI's role in managing critical infrastructure components like Nginx and Haproxy, a compromise could disrupt services and impact availability.
CVE-2026-27811 was publicly disclosed on 2026-03-18. No known public exploits or active campaigns have been reported at the time of writing. The vulnerability is not currently listed on CISA KEV. The ease of exploitation, given the authenticated nature of the vulnerability and the direct command execution, warrants careful monitoring and prompt patching.
Exploit Status
EPSS
1.04% (77% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27811 is to immediately upgrade Roxy-WI to version 8.2.6.3 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to filter requests targeting the /config/compare endpoint, specifically looking for suspicious characters or command patterns. Input validation on the server-side, even before the upgrade, can help reduce the attack surface. Regularly review Roxy-WI configuration and access controls to ensure only authorized users have access to sensitive functionality. After upgrading, confirm the fix by attempting to inject a simple command through the /config/compare endpoint; it should be rejected.
Update Roxy-WI to version 8.2.6.3 or higher. This version fixes the command injection vulnerability. The update can be performed through the software's usual distribution channels.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-27811 is a Command Injection vulnerability in Roxy-WI versions up to 8.2.6.3, allowing authenticated users to execute arbitrary system commands.
You are affected if you are using Roxy-WI versions 8.2.6.3 or earlier. Immediately assess your deployments.
Upgrade Roxy-WI to version 8.2.6.3 or later. As a temporary measure, implement WAF rules to filter suspicious requests.
No active exploitation has been confirmed at this time, but the vulnerability's ease of exploitation warrants close monitoring.
Refer to the Roxy-WI project's official website and GitHub repository for the latest security advisories and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.